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Abstract 

A logic-enriched type theory (LTT) is a type theory extended with a primi- 
tive mechanism for forming and proving propositions. We construct two LTTs, 
named LTTq and LTTq , which we claim correspond closely to the classical pred- 
icative systems of second order arithmetic ACAo and ACA. We justify this claim 
by translating each second-order system into the corresponding LTT, and prov- 
ing that these translations are conservative. This is part of an ongoing research 
project to investigate how LTTs may be used to formalise different approaches 
to the foundations of mathematics. 

The two LTTs we construct are subsystems of the logic-enriched type theory 
LTTw, which is intended to formalise the classical predicative foundation pre- 
sented by Herman Weyl in his monograph Das Kontinuum. The system ACAg 
has also been claimed to correspond to Weyl's foundation. By casting ACAq and 
ACA as LTTs, we are able to compare them with LTTw- It is a consequence 
of the work in this paper that LTTw is strictly stronger than ACAo. 

The conservativity proof makes use of a novel technique for proving one LTT 
conservative over another, involving defining an interpretation of the stronger 
system out of the expressions of the weaker. This technique should be applicable 
in a wide variety of different cases outside the present work. 

Keywords: type theory, logic-enriched type theory, predicativism, Hermann 
Weyl, second order arithmetic 

2000 MSG: 03B15, 03B30, 03B70, 03F25, 03F35, 68T15 



1. Introduction 

A lot of research in the field of mathematical logic has been devoted to con- 
structing formal theories intended to capture various schools of thought in the 
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foundations of mathematics. In particular, the project of Reverse Mathematics 
[ij has provided an extremely detailed analysis of many theories in the language 
of second-order arithmetic L. It has been argued that the theories studied corre- 
spond closely to different foundational schools; in particular, that the classical, 
predicative foundation presented by Hermann Weyl in his monograph Das Kon- 
tinuum is captured by the theory ACAq 

The systems of logic known as dependent type theories have also received a 
lot of attention, and in particular have proven to offer many practical benefits 
when used as the basis of the computer systems known as proof checkers or proof 
assistants. Type theories divide the world of mathematical objects into types. 
They offer much more expressive power than second-order arithmetic: we are 
able to speak, not just of natural numbers and sets of natural numbers, but also 
about (e.g.) sets of sets, lists, trees, and functions from any of these types to 
any of them. However, so far, type theories have been used almost exclusively 
to represent constructive mathematics. 

More recently, the concept of a logic- enriched type theory has been devel- 
oped. A logic-enriched type theory is a type theory augmented with a separate, 
primitive mechanism for forming and proving propositions. It thus has two 
components or 'worlds': a type-theoretic component, consisting of objects col- 
lected into types, and a logical component, for reasoning about these objects. 
LTTs have been used to investigate the relationships between type theories and 
set theories [1, Q , and by the present authors d, Q to formalise the predicative 
foundation for mathematics presented by Hermann Weyl in Das Kontinuum • 

There is reason to believe that LTTs may offer some of the advantages of both 
traditional logical systems, and type theories. They share with type theories the 
rich type structure and inbuilt notion of computation that have proven to be 
of great benefit for formalisation in practice. At the same time, they offer the 
flexibility in choice of axioms that we are used to in traditional logical systems: 
it is possible, for example, to add excluded middle to the logical component 
without changing the type-theoretic component. 

This paper is part of an ongoing research project to construct a hierarchy of 
LTTs, similar to the hierarchy of second-order systems in Reverse Mathematics. 
We hope thereby to investigate how LTTs may be used to represent different 
schools of thought in the foundations of mathematics, and to understand the 
effect that changes in the design of an LTT have on its set of definable objects 
and provable theorems. 

In this paper, we construct two LTTs that capture two second-order systems 
that are closely related to the foundation of Das Kontinuum: ACAq and ACA. 
We construct two LTTs, which we name LTTq and LTTq. These are more 
expressive than a second-order system: the type-theoretic component of each 
features types of natural numbers, pairs, functions of all orders, and sets of all 
orders. 

Our aim in this paper is to show that adding this expressive power is 'safe'; 
that is, that we have not thereby increased the proof-theoretic strength of the 
system. We do this as follows. Let us say that a proposition of LTTq is second- 
order iff it uses no types other than N (the type of natural numbers) and Set (N) 
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(the type of sets of natural numbers). We define a translation from ACAq 
onto the second-order propositions of LTTq, and prove that the translation is 
conservative] that is, a formula of L is provable in ACAq if and only if its 
translation is provable in LTTg. 

The current authors have previously 0, 0] presented a new system intended 
to capture Weyl's foundation, which we named LTTw- We argued there that 
LTTw captures Weyl's foundation very closely, and described how all the def- 
initions and results in Das Kontinuum have been formalised in LTT-yv using a 
proof assistant. The two LTTs that we construct in this paper are both subsys- 
tems of LTTw- As a consequence of the work in this paper, we now know that 
LTTw is strictly stronger than ACAq, and at least as strong as AC A. 

We argue that, compared with ACAq and ACA, LTTw corresponds more 
closely to the system presented in Das Kontinuum. This is not a claim that can 
be proven formally, as there is no formal definition of Weyl's foundation, but we 
can advance evidence for it. In our previous paper, we pointed out the extreme 
similarity between the presentation in Das Kontinuum and the definition of 
LTTw, a-nd described one construction in Das Kontinuum — the construction 
of K{n) — {X I X has at least n elements} — that cannot be done 'as directly' 
in any of the second order systems. Here, we strengthen the justification for 
this claim: we show that K is expressed by a term in LTTw that cannot be 
formed in either LTTq or LTTq. 

The majority of this paper is taken up with proving the conservativity re- 
sults. Our method for proving the conservativity of LTTq over ACAq is as 
follows. We first define a subsystem T2 of LTTq which has just two types, N 
and Set (N) . and show that LTTq is conservative over T2 . 

We then construct infinitely many subsystems of LTTq between T2 and 
LTTq. We prove that, for each of these subsystems S and T, whenever S is 
a subsystem of T, then T is conservative over S. We do this by defining an 
interpretation of the judgements of T in terms of the expressions of S. Infor- 
mally, we can think of this as giving a way of reading the judgements of T as 
statements about S. We show that this interpretation satisfies two properties: 

• Every derivable judgement of T is true. 

• Every judgement of S that is true is derivable in S. 

It follows that, if a judgement of S is derivable in T, then it is derivable in S. 

The proof thus makes use of an original technique which should be of interest 
in its own right, and which we expect to be applicable in a wide variety of 
contexts for proving one LTT or type theory conservative over another. In 
particular, we shall show how it can be adapted to provide a direct proof that 
ACAq is conservative over Peano Arithmetic. 

1.1. Outline 

In Section 2 of this paper, we describe the subsystems of second order arith- 
metic that we shall consider, and compare them informally with Weyl's system. 
In Section 3, we give the formal definition of LTTw and its two subsystems, 
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and define the translation from second order arithmetic into the LTTs. In Sec- 
tion 4, we prove that this translation is conservative in the case of ACAq and 
T2. In Section 5, we prove that LTTq is conservative over T2. Finally, in Sec- 
tion 6, we indicate how the proof can be modified to prove the conservativity 
of LTTg over AC A, and discuss the possibility of constructing a subsystem of 
LTTw conservative over ACAq , and the conservativity of ACAq over Peano 
Arithmetic. 

Notation. We shall stick to the following convention throughout this paper. 
Capital letters from the beginning of the Latin alphabet {A, B, C, . . . ) shall 
denote types. Capital letters from the middle {K, L, M, N, . . . ) shall denote 
terms. Capital letters from just after the middle {P, Q) shall denote names 
of small propositions. Lower-case letters (x, ?/, z, . . . ) shall denote variables, 
except t, which we reserve for terms of the language of second-order arithmetic. 
Lower-case letters from the middle of the Greek alphabet (0, ip, x, ■ ■ • ) shall 
denote propositions. 

We shall be dealing with partial functions throughout this paper. We write 
X ~ y to denote that the expression X is defined if and only if Y is defined, 
in which case they are equal. Given a function v, we write v[x :— a] for the 
function v' with domain domw U {x}, such that v'{x) = a, and v'{y) — v{y) for 
y ^ X. We write FV (X) for the set of free variables in the expression X. 

2. Background 

2.1. Weyl's Das Kontinuum 

In 1918, Herman Weyl wrote the monograph Das Kontinuum which 
presented a semi-formal system intended to provide a predicative foundation 
for mathematics. Weyl's system consists of a set of 'principles' by which sets, 
functions and propositions may be introduced. In particular, if we have formed 
the proposition (/), we may introduce the set {x \ 0}, provided that does not 
involve any quantification over sets. Impredicative definitions are thus impos- 
sible in Weyl's system. His concern was to show how much of mathematics 
— in particular, how much of analysis — could still be retained under such a 
restriction. 

At the time of writing Das Kontinuum in 1918, Weyl agreed with White- 
head and Russell's opinion 8] that the source of the famous paradoxes in set 
theory was the presence of impredicative definitions — definitions that involved 
a certain kind of vicious circle. In particular, when we introduce a set R with 
the definition 

R^{x I 0} (1) 

then the definition is impredicative if cither x or any of the bound variables in 
(p ranges over a collection that includes the set R itself. 

In Weyl's foundation, mathematical objects are divided into categories. A 
category can be basic or ideal. Given any category A, there is the ideal category 
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Set of sets whose members are objects of category A. In a definition of 
the form ([ij, we may only quantify over basic categories. In particular, we may 
not quantify over any category of the form Set (A) . It is in this manner that 
impredicative definitions are excluded. 

If we bar impredicative definitions, we are unable to define many objects, 
such as the least upper bound of a bounded set of reals. We must thus either 
find an alternative way to introduce these objects, or do without them. Russell 
and Whitehead chose the former course, with their Axiom of Reducibility. The 
monograph Das Kontinuum was Weyl's attempt to follow the latter course: to 
show how much of classical mathematics could be preserved while excluding 
impredicative definitions. 

2.2. Subsystems of Second Order Arithmetic 

We are concerned in this paper with two subsystems of second order arith- 
metic, ACAo and ACA. The letters ACA stand for 'arithmetical comprehension 
axiom'. The system ACAq is investigated in great detail in Simpson These 
two systems are theories in the language of second order arithmetic, a language 
for describing natural numbers and sets of natural numbers. We now introduce 
this language formally. 

Definition 2.1 (Language of Second Order Arithmetic). The language 
of second order arithmetic L is defined as follows. 

There are two countably infinite, disjoint sets of variables: the number vari- 
ables x, y, z, . . . , intended to range over natural numbers; and the set variables 
X , Y , Z , . . . , intended to range over sets of natural numbers. 

The terms and propositions of second order arithmetic are given by the 
following grammar: 

Term t ::= x\0\St\t + t\t-t 

Proposition ::= t = t \ t e X \ ± \ (j) D (/} \ Vx0 | VX^ 

We define A, V, o and 3 in terms of _L, D and V as usual. 

A proposition is arithmetic iff no set quantifier \/X occurs within it. 

2.2.1. ACAo 

The system ACAq has been very well studied. In particular, it has played 
a major role in the project of Reverse Mathematics It has often been 
argued that ACAq is closely related to Weyl's foundation; for example, Feferman 
3| calls it 'a modern formulation of Weyl's system', and Brown and Simpson 
9[ write 'ACAq isolates the same portion of mathematical practice which was 
identified as 'predicative analysis' by Herman Weyl in his famous monograph 
Das Kontinuum'. 

It is known that ACAo is conservative over Pcano Arithmetic (PA) ; a model- 
theoretic proof is given in Simpson [l] , and a proof-theoretic proof can be given 
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along the lines of Shoenfield [l^l ■ A novel proof of this result shall be given in 
Section [O] 

The axioms of ACAq are as follows: 

• The Peano axioms — the axioms of Peano Arithmetic, minus the induction 
axioms: 

Sx = Sy D X = y 

X + = X 
X + Sy = S{x + y) 

x-0 = 
X - Sy — X ■ y + X 

• The arithmetical comprehension axiom schema: for every arithmetic 
proposition (j) in which X does not occur free, 3X\/x{x G X o 0). 

• The set induction axiom: e X D Va;(a; £ X D Sx e X) D \/x.x £ X. 
2.2.2. AC A 

The system ACA is formed by extending ACAq with the full induction axiom 
schema: for every proposition 0, 

[0/x](j) D yx{(j) D [Sx/x](j)) D Va;0 . 

An argument could be made for ACA being a better representation of the foun- 
dation in Das Kontinuum than ACAg, because — as we shall argue in Section 
12.31 — Weyl makes use of an induction principle that is stronger than that of 
ACAo. 

The system ACA has not been studied in the literature as much as ACAq. 
A few facts about ACA are known: its proof-theoretic ordinal is e^o , and it can 



prove the consistency of ACAq. See for the proof of these results and an 
analysis of the set of models of ACA. 

2.3. Das Kontinuum and Subsystems of Second Order Arithmetic Compared 
There has been quite some argument over how well Weyl's foundation is 



captured by a subsystem of second order arithmetic. Feferman has argued 
strongly in favour of ACAq, or a system very like it, being a modern formulation 
of Weyl's system. 

This argument cannot be settled formally, as Weyl did not give a formal 
definition of his system. However, in the authors' view, Weyl's system exceeds 
both ACAq and ACA, for the following reasons: 

1. Weyl intended his system to be more than second order. He allowed the 
category Set {B) to be formed for any category B, basic or ideal. Thus, 
for example, we can form the categories Set (Set (N)), Set (Set (Set (N))), 
and so forth. 
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2. Weyl intended the principle of induction to apply to all propositions, arith- 
metic or not. 

We justify this by showing a place where Weyl explicitly defines a function 
of category Set (Set (A)) — )• Set (Set {A)), and three places where he proves a 
non-arithmetic proposition by induction. 

The former occurs [l^, p. 39] with the definition of the cardinality of a set. 
Weyl defines a function d : Set (Set (A)) Set (Set (A)) by 

d{£r) ^ {x\3xe x.x \ {x} e sr} . 

This function is then iterated, to form the function 

d'"{£^) — {X I n elements may be removed from X to form an element of 
Weyl goes on to argue that d"'{'W) denotes the set of all sets with at least n 
elements (where ^ is the set of all subsets of A). He defines the proposition 
a{n,X), 'X has at least n elements', by 

ain,X) = X e d'^i'^) 



Various results about this definition are later proved 13|, p. 55], such as: 



If X has at least n + 1 elements, then X has at least n elements. 

This is not an arithmetic proposition (it involves quantification over X), but it 
is proven by induction on n. 

Similarly, the non-arithmetic proposition 'If X is a subset of E and X con- 
sists of at least n elements, then E also consists of at least n elements' [l^, p . 5 6] 
is proven by induction, as is the lemma concerning substitution of elements [13l 
p. 56]: 'If a new object [. . .] is substituted for one of the elements of a set X 
which consists of at least n elements [...], then the modified set X* also consists 
of at least n elements.' 

Thus, Weyl's method of defining a{n, X) involves third-order sets; the appli- 
cation of the Principle of Iteration to third-order sets; and proof by induction 
of a proposition that quantifies over sets. These are all expressed by primitive 
constructs in LTTw, but not in LTTo or LTTq (we discuss this point further in 
Section [X^. 

When we have proven the conservativity of LTTq and LTTq over ACAq and 
ACA respectively, we will have justified our claim that Weyl's system is stronger 
than ACAq; and, if our conjecture that LTT-w is stronger than LTTq is correct, 
that Weyl's system is stronger than ACA. 



3. Logic-Enriched Type Theories 

In this section, we introduce the logic-enriched type theory LTTw ^^^d the 
two subsystems with which we are concerned. 

Logic-enriched type theories (LTTs) were introduced by Aczel and Gambino 
to study the relationship between type theories and set theories. An LTT is 
a formal system consisting of two parts: the type-theory component, which deals 
with terms and types; and the logical component, which deals with propositions. 
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3.1. LTTw 

The system LTTw is a logic-enriched type theory designed to represent the 
mathematical foundation given in Das Kontinuum. It was introduced in Adams 
and Luo 0,11. 

3.1.1. Type- Theoretic Component 

Its type-theoretic component has the following types. 

• There is a type N of natural numbers. is a natural number; and, for any 
natural number iV, the successor of N , s iV, is a natural number. 

• For any types A and _B, we may form the type Ay. B. Its terms are pairs 
{M,N)a-/.b consisting of a term M of A and a term N of B. For any 
term M : Ax B, we can construct the term nf^^lM) denoting its first 
component, and the term 7r^^^(Af) denoting its second component. 

• For any types A and B, we may form the type A — > B of functions from 
A to B. Its terms have the form Ax : A.M : B, denoting the function 
which, given TV : A, returns the term [N/x]M : B. Given M : A ^ B and 
N : A, we may construct the term M{N)a^b to denote the value of the 
function M when applied to N. 

• For any type A, we may form the type Set (A) of sets of terms of A. Its 
terms have the form {cc : A | P}, where P is a name of a small proposition, 
denoting the set of all M : ^ for which the proposition named by [M/x]P 
is true. 

We divide the types into small and large types, reflecting Weyl's division of 
categories into basic and ideal categories. When we introduce a set {cc : A | P}, 
the proposition P may quantify over the small types, but not over the large 
types. The small types are defined inductively by: 

• N is a small type. 

• HA and B are small types, then A x B is a small type. 

We effect this division by introducing a type universe U, whose terms are 
names of the small types. There is a term N : U which is the name of N; and, 
ii M : U names A and N : U names B, then there is a term MxN : U that 
names A x B. We write T{M) for the type named by M . 

We can also eliminate N over any family of types; that is, if A[x\ is a type 
depending on x : N, we can define by recursion a function / such that f{x) : A[x\ 
for all X : N. The term 



is intended to denote the value f{N), where / is the function defined by recursion 



En{[x]A,L, [x,y]M,N) 



thus: 



/(o) 

f{n + 1) 



= L 



[n/x]A 



[n/xJ{n)/y]M 



for all n : N 
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Remark. We choose to label the terms 



.AxB 



.AxB 



(M), Aa; : A.M : B and M{N)Ay B 



with the types A and B. This is for technical reasons only; it makes the inter- 
pretations we introduce in Section [5] easier to define. We shall often omit these 
labels when writing terms. We shall also often write MN for M{N). 

3.1.2. Logical Component 

The logical component of LTT-yv contains propositions built up as follows: 

• If M and N are objects of the small type T{L), then M =l is a 
proposition. 

• _L is a proposition. 

• If and ip are propositions, then (j) D ip is a proposition. 

• If ^ is a type and </> a proposition, then Va; : A.(j) is a proposition. 
We define the other logical connectives as follows: 



We call a proposition small iff, for every quantifier Vx : A that occurs in (j), 
the type A is a small type. We wish it to be the case that, when we introduce a 
set of type Set (A) , the proposition we use to do so must be a small proposition. 

We achieve this by introducing a propositional universe 'prop', which will 
be the collection of names of the small propositions. We shall introduce a new 
judgement form T h P prop, denoting that P is the name of a small proposition, 
and rules that guarantee: 

• If M and N are objects of the small type T{L), then M=lN is the name 
of M =L ^■ 

• _L is the name of -L. 

• If P names <j) and Q names then PZ}Q is the name of D V"- 

• If M : U names the small type A and P names </>, then Vx : M.P names 



We denote by V{P) the small proposition named by P. We shall, in the sequel, 
often write just 'small proposition' when we should strictly write 'name of small 
proposition'. 

We use 'expression' to mean a type, term, small proposition or proposition. 
We identify expressions up to a-conversion. We denote by [M/x]X the result 
of substituting the term M for the variable x in the expression X, avoiding 
variable capture. 



o V' 



-iV.T : A.-icj) 



3x : A.4) 



\Jx : A.cj). 
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3.1.3. Judgements and Rules of Deduction 

A context in LTT-yv has the form xi : Ai, . . . , a;„ : An, where the XiS are 
distinct variables and each Ai is a type. There are ten judgement forms in 
LTTw: 

• r h vahd, denoting that F is a vahd context. 

• r h j4 type, denoting that A is a well-formed type under the context T. 

• r h A = B, denoting that A and B are equal types. 

• r h M : A, denoting that M is a term of type A. 

• r \- M — N : A, denoting that M and N are equal terms of type A. 

• r h P prop, denoting that P is a well-formed name of a small proposition. 

• r h P = Q, denoting that P and Q are equal names of small propositions. 

• r h Prop, denoting that (f> is a well-formed proposition. 

• T h (f> = ^p, denoting that and are equal propositions. 

• r h ■(/;, denoting that the propositions (jfi, . . . , entail the 
proposition ip. 

The rules of deduction of LTT-yv are given in full in Appendix |Appendix A.Tj 
They consist of the introduction, elimination and computation rules for the 
types of LTTw, the rules for classical predicate logic, and the following rule for 
performing induction over N: 

r, a; : N h </> Prop F h : N 

(IndN) rh$^[O/a;]0 F, x : N h ^ [s 
F h $ ^ [N/x](l) 

3.2. LTTo and LTTq 

We now construct two subsystems of LTTw , which we shall call LTTq and 
LTTq, that correspond to ACAq and AC A respectively. These subsystems are 
formed by changing: 

• the class of types over which N may be eliminated (that is, the class of 
types A that may occur in EN([a;] A, L, [x, y]M, N); 

• the class of propositions that may be proved by induction (that is, the 
class of propositions (f> that may occur in an instance of (IndN)). 

In LTTw, we may eliminate N over any type, and any proposition may be 
proved by induction. We form our three subsystems by weakening these two 
classes, as shown in Table [T] 
This is achieved as follows. 
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Types over which Propositions provable by induction 



N may be eliminated 



LTTw 


all 


all 


LTTo 


small types 


small propositions 


LTTS 


small types 


propositions involving quantification 






over small types and Set (N) 




Table 1: 


Subsystems of LTTw 



1. We construct LTTq by modifying LTTw as follows. 

• Whenever a term En([x]v4, L, [x, y]M, N) is formed, then A must have 
the form T{K). 

• Whenever an instance of the rule (IndN) is used, the proposition (j> 
must have the form V{P). 

• Whenever an instance of the rule (subst), (etax) or (eta_i.) is used, 
the proposition (f> must not contain a quantifier Vx : A over any type 
A that contains the symbol U. 

• We also add as an axiom that SM ^ for M : N. 

2. Let us say that a proposition (f) is analytic iff, for every quantifier : Am 
0, A either has the form T{M) or A = Set (N). We construct LTTg from 
LTTo by allowing (IndN) to be used whenever (f) is an analytic proposition. 

The formal definitions of both these systems are given in Appendices |Appendix A."2 
and I Appendix A . 3 1 

Remarks. 

1. Peano's fourth axiom, that SM for any M : N, is provable in LTTw; 
see ^ for a proof. It is not provable in LTTo or LTTq . This can be shown 
by a similar method to Smith [l^ by constructing a model of LTTq in 
which every small type is interpreted by a set that has exactly one element. 

2. We can now justify further our claim in Section [231 that Weyl's definition 
of a{n,X) uses the primitive concepts of LTTw that are not present in 
either LTTo or LTT*. 

The definitions of d and a are straightforward to formalise in LTTw- Given 
M : U, we have 

dm = : Set(Set(r(Af))). 

{X : Set (T(M)) | 3x : M.{x£X AX\ {xjG^^)} 
ttM = An : N.AA: : Set (r(M)) . 

X e EN(HSet (Set (r(M))) , ^, [x, Y]dM{Y),n) 

This is not a term in either of the subsystems of LTTw, it involves 
applying En to the type Set (Set (T(M))). 
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3. The universe U contains only the types that can be built up from N and 
X. Its inclusion in LTTq or LTTq therefore does not increase the proof- 
theoretic strength of the system (this will be proven in Section 1^751) . This 
is a rare situation; in general, the inclusion of a universe raises the strength 
of a type theory considerably (see for example [TBI)- We conjecture that, 
if we closed U under — )■ or Set ( ) in LTTq or LTTq , the resulting system 
would not be conservative over ACAq or ACA respectively. 

4. In Aczel and Gambino's original formulation of LTTs [1, Hj, the logical 
component of an LTT could depend on the type theoretic component, but 
not vice versa. We have broken that restriction with the inclusion of typed 
sets: a canonical object of Set (A) has the form {x : A \ P} and thus 
depends on a small proposition P. 



3.3. Embedding Second Order Systems in Logic- Enriched Type Theories 

There is a translation that can naturally be defined from the language of 
second order arithmetic L into LTTq. We map the terms of L to terms of type 
N, first order quantifiers to quantifiers over N, and second order quantifiers to 
quantifiers over Set (N). 

Definition 3.1. We define 

• for every term i of L, a term of LTTw; 

• for every arithmetic formula </) of L, a small proposition |</>| of LTTw; 

• for every formula of L, a proposition of LTTw- 

m = 

\s + t\ = \s^ plus \t\ 
\s ■ t\) = /\s\) times i\t\) 



It ex, I = m&n^^ 



where 



AfplusiV = Eni[x]T{N),M,[x,y]sy,N) 

M times N = Em([x]T{N),0, [x,y]y plus M,N) 

It is straightforward to show that this translation is sound, in the following 
sense: 



12 



Theorem 3.2 Let T he the context xi : N, . . . , a:„j : N, : Set (N) , . . . , X„ : 
Sct(N). Let¥Y{t) C {xi, . . . , a;„J, and FV (0) C . . . , x™, Xi, . . . , X„}. 

1. r h : N and T h Prop. 

2. // is arithmetic, then T h prop and F h — (|0[>. 

3. // ACAo h t/ien F m LTTq. 

4. // ACA h 0, t/ien F m LTTg. 

Proof. Parts 1 and 2 are proven straightforwardly by induction on t and (/>. 

For part 3, it is sufficient to prove the case where 4) is an axiom of ACAp. 
The case of the Peano axioms is straightforward. 

For the arithmetical comprehension axiom schema, let (j) be an arithmetic 
formula in which X does not occur free. We have 

F h ^\jx ■.n{V{\(j>\) ^ l\4>\j) (using parti) 

.-.F h ^ Vx : N(a; e {x : N I 101} ^ ^01)) 
.-.F h ^ 3X : Set(N).Vx : N(x e X o ^01)) 

as required. 

The set induction axiom is shown to be provable using (Indpi). 

For part 4, it is sufficient to show that every instance of the full induction 
axiom schema is provable in LTTq. This is easy to do using (IndN), as (|(/)[> is 
always an analytic proposition. 

Corollary 3.2.1 LTTw is strictly stronger than ACAq. In fact, LTTw can 
prove the consistency of ACAq . 

Proof. As ACAq is conservative over Peano Arithmetic [Ij, its proof-theoretic 



ordinal is eq. The proof-theoretic ordinal of ACA is [ll|,ll6[. Therefore, ACA 
can prove the consistency of ACAq; hence, so can LTTq; hence, so can LTTw- 

Our aim in this paper is to prove the converse to Theorem 13.21 parts [3] and 
H that, whenever F l-=> (|0^ in LTTq or LTTq, then is provable in the 
corresponding subsystem of second order arithmetic. 



4. Conservativity of T2 over ACAq 

We shall now define the system T2, which is a subsystem of LTTq. We can 
think of T2 as the second order fragment of LTTq; that is, the part of LTTq 
that has just the two types N and Set (N). 

The translation {| \j given in the previous section is in fact a sound transla- 
tion of ACAq into T2. In this section, we shall prove that this translation is 
conservative; that is, if is provable in T2, then is a theorem of ACAq. 



The syntax of T2 is 


given 


by the following grammar 




Type 


A : 


= N 1 Set (N) 




Term 


M : 


X 1 1 s A/ 1 R(A/, [x, x] Af, M) 


{x:N\P} 


Small Proposition 


P : 


= M=nM 1 1 1 P5P I Vx : N.P 


M Gn Af 


Proposition 


: 


= M ^fi M \ (j)\yx : A.4 


' 1 v^(^) 
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r,x:NhPProp T, 2; : N h P = Q 



ThVx: N.P Prop T h (Va; : N.P) = {Vx.N.Q) 
r, X : N h P Prop 
r h V(ix : N.P) = Vx : N.F(P) 

Figure 1: Rules of Deduction for Small Universal Quantification in T2 

r h valid F h valid P h M : N P h M = M' : N 



Fh N type FhO:N FhsAf:N FhsM = sM':N 

FhP:N rhP = L':N 

F, x : N, y : N h Af : N F, x : N, y : N h A/ A-/' : N 

PhA^:N Fh7V = 7V':N 



F h R(P, [x, 2;]Af , N):N F h R(L, [x, y]A//, N) = R(L', [x, ?/]Af', N') : N 



F h L : N 

FhP:N F,x : N,?/ : N h Af : N 

F,x:N,2/:NhA^:N T^N-.N 



F h R(L, [x, y]A4", 0) = L : N F h R(P, [x, y]M, s N) 

= [N/xML,[^MM,N)/y]M -.n 

F, X : N h P Prop F h iV : N 

(IndN) P K $ ^ Vil'^/AP) r h V{P) ^ V^([sx/x]P) 
F h $ ^ V{[Nlx\P) 

Figure 2: Rules of Deduction for Natural Numbers in T2 

The rules of deduction of T2 are: 



1. the structural rules for LTTs as given in Appendix [Appendix A.1.1 



2. the rules for predicate logic as given in Appendix [Appendix A . iTT] 

3. the rules for the propositional universe as given in Appendix [ Appendix A.1.8[ 
with the rules for universal quantification replaced with the rules in Figure 

m 

4. the rules for equality given in Appendix [Appendix A. 1.9 restricted to 
the type N; 

5. the rules for sets given in Appendix [Appendix A.1.5[ restricted to the 
type N; 

6. the rules for natural numbers given in Figure O 

Note. T2 does not contain the universe U . The symbol N therefore is not a 
term in T2 , and cannot occur on its own, but only as part of a small proposition 
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Va; : N.P. 

In LTTq, we could define functions by recursion into any small type; in T2, 
we can only define by recursion functions from N to N. This is achieved by the 
constructor R. The term R(L, [x, y]M, N) is intended to denote the value f{N), 
where / : N ^ N is defined by recursion thus: 

/(O) - L 

f{n+l) = [n/xJ{n)/y]M 

The system T2 may be considered a subsystem of LTTq if we identify 
R{L,[x,y]M,N) with Efi{[x]N, L,[x,y]M, N); M =n ^ with M N; and 
M=fqN with M^-^N. 

The translation given in Section 13.31 is a sound translation from AC Aq into 

T2. 

Theorem 4.1 Let T and (j) be as in TheoremlKM //ACAq h 4>, then T 
in T2. 

Proof. Similar to the proof of Theorem l3.2r 3). 

We now wish to show that the converse holds. 

We shall do this by defining the following translation $ from T2 to ACAq. 

Let 

r = xi : N, . . . , x„ : N, Xi : Set (N) , . . . , A:„ : Set (N) . 
We shall define: 

1. whenever F h M : N, an arithmetic formula f— M~' such that 

ACAo h 3\x.x'~= Ar . 

The intention is that M is interpreted as the unique number x for which 
X '~— is true. 

2. whenever F h Af : Set (N), an arithmetic formula A'l^ such that 

ACAo h 3Xyx{x eX ^ x^e NH) , 

The intention is that M is interpreted as the unique set X whose members 
are the numbers x such that x '~G M"' is true. 

3. for every small proposition P such that F h P prop, an arithmetic formula 

4. for every proposition cf) such that F h Prop, a formula ^(jp. 
The definition is given in Figure [3l 
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Numbers. 



t^=0^ = t = 

t^=sM^ = 3x{x^= At = Sx) 

t^=R{L,[u,v]M,Ny = 3n3s G Se<i{n^= A {n,t) G s 

Av;((o,/) G s D r= L^) 

A\/u\/z{{Su, z) GsD 3v{{u, v) esAz^= M"'))) 



Sets. 



feix-.NlPy = [t/x]'~P^ 



Small Propositions. 



Propositions. 



^M=NiV^ = 3x{x ^=M^Ax ^= N^) 

^l"! = ± 

^PdQ"' = ^P^ D ^Q^ 

^\fx:N.P~' = Va;'"p-| 

^MSnA^"' = 3x{x^= Ax'~G N^) 



^M=fiN-^ = 3x{x^=M^ Ax^=N^) 

^r^ = ± 

^VX : Set (N) .(/)^ = VXr^-i 

Figure 3: Interpretation of T2 in ACAq 
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Remark. To interpret a term of the form 'R{L,[u,v]M, N), we make use of 
a standard technique for defining functions by recursion in ACAq. We are 
assuming we have defined in ACAq a pairing function (to, n) on the natural 
numbers, and a coding of finite sequences of numbers as numbers, with Seq 
the set of all codes of sequences, and the formula n € s expressing that n is a 
member of the sequence coded by s. (For more details, see [l|, II. 3].) 

Speaking informally, the formula t '~= R{L, [u, v]M, TV)"' expresses that {N, t) 
is a member of a sequence s, and that the members of this sequence s must be 

(0,R(L,[u,t;]M,0)), (1,R(L,[m,«]M,1)), (fc, i?(L, [u, t;]M, A:)) 

up to some k, in some order. It follows that t = R(i, [u, v\M, N). 

The following theorem shows that the translation in Figure [3] is sound. 

Theorem 4.2 (Soundness) 1. //F h M : N then ACAq h 3\x.x^= IVH. 

2. // F h Af = M' : N then ACAq h 3x{x ^= Ax^^M'^). 

3. //F h M : Set (N) i/ien ACAq h 3\Xyx{x e X ^ x^e Nr). 

4. // F h A/ = iV : Set (N) t/ien ACAq h Vx(a; A/^ ^ a; A^^) . 

5. IfTh P = Q then ACAq h '~P^ ^ ^Q^. 

6. //F h = V then ACAq h o 

7. //F h 01, ...,(/)„ =^ V ^/len ACAq h D • • • D ^(/)„^ D ^^p^. 
Proof. We need the following two results first. 

1. For any term M such that x,y ^ FV (A/), 

ACAo h x^^ ]Vr D y^^ A-r D X = y . 

This is proven by induction on M. 

2. Given a term N such that x ^ FV (A^), the following are all theorems of 



These are proven by induction on M, P or (/). Formulas dS])-® must be 
proven simultaneously. 

The seven parts of the theorem are now proven simultaneously by induction on 
derivations. We deal with one case here: the rule 



ACAq: 



x^^N^Z) {y ^= [N/x]Ar o y ^= hr) 
x^^ N^D (y^e [N/x]Ar ^y^e AH) 
Va;(.T e A x^e A^^) D (y^e [A/A]Af^ ^ y^e M^) 
x^=N^D {^[N/x]P^ O ^P^) 
Wx{x e A o x^e A^) D {^[N/X]P^ o ^P^) 

x'~=N^D {'~[N/x](l)'^ O ^0^) 
Va;(a; e X ^ x^e N^) D (^[A^/x]0^ O ^(/)^) 



(2) 

(3) 
(4) 
(5) 
(6) 
(7) 
(8) 



F h L : N F, u : N, w : N h Af : N 

F h A^ : N 



F h R{L, [u,v]M,sN) = [A^/'u,R(L, [u,v]M, N)/v]M : N 
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We reason in ACAq. By the induction hypothesis, there exist I and n such that 
r= L^, n^= N^. Further, 

\fu\fv3m.m '~— . 

The following formula can be proven by induction on z: 

\tz3w3s G Seq((z,u') G s 

AV/((0,0 G s D r=L^) 

A VuVz((Sw, z) e s D u) e s A z M"'))) 

Now, let n be the unique number such that n'~= N~^. There exist m, p such 
that {n,m) and (Sn,p) are members of such a sequence s. It follows that 

R(L, [m,w]M, sn)"', to'"= R(L, [u, wjM, n)"', [n/u, m/u](p'"= M^) . 

Hence, by ([2]), we have 

p^=R(L, [u,i;]Af,sAr)^, [N /u,K{L,[u,v]M, N) lv]A.r 

as required. 

Conservativity shall follow from the following theorem, which states that the 
mapping is a left- inverse to the mapping (| ^ from ACAq to T2, up to logical 
equivalence. 

Theorem 4.3 

1. For every term t 0/ ACAq, we have ACAq h (|t[>~'- 

2. For every arithmetic proposition (j) 0/ ACAq, we have ACAq h 

3. For every proposition (p 0/ ACAq, we have ACAq '~(\(f)\j^. 

Proof. The proof of each of these statements is a straightforward induction. 
We deal with one case here: the case t = ti + t^- We reason in ACAq. The 
induction hypothesis gives 

and we must show ti + t2 '"= plus (|t2^~', i.e. 

3n3r e Seq(7i'"= {|i2r A (n, <i + ia) e r 
AW((0,/)GrDr= ^ij^) 
A Va;Vz((Sa;, z) G r D 3j/((a;, y) € r A z = Sy))) 

We prove the following by induction on b: 

Va, b3r G Seq((6, a + 6) G r 

AVZ((0,0 erZ)l = a) 

A Vx, z((Sa;, z) G r D 3y{{x, y) £ r f\ z — Sy))) 
The desired proposition follows by instantiating a with <i and 6 with t2. 
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Corollary 4.3.1 (Conservativity of T2 over ACAq) For any formula cj) of 
ACAo, ifT\~=^ in T2, then ACAq h <j). 

Proof. By the Soundness Theorem, we have that ACAq h ^d^P- By Theorem 
14:31 we have ACAq h o Therefore, ACAq h (/>. 

5. Conservativity of LTTq over ACAq 

In this section, we shall prove that LTTq is conservative over T2. This shall 
complete the proof that LTTq is conservative over ACAq . 

We shall do this by defining a number of subsystems of LTTq as shown in 
the diagram: 

T2 T„ T^U ^ LTTo . 

For each of these inclusions A ^ B, we shall prove that A is a conservative 
subsystem of B; that is, for every judgement J in the language of A, if J is 
derivable in B then is derivable in A. This shall sometimes involve con- 
structing yet more subsystems in between A and B, and proving that all these 
inclusions are conservative. 

Intuitively, each subsystem deals with a subset of the types of LTTq. 

• T2 has only two types, N and Set (N). 

• The types of T^^ are all the types that can be built up from N using x , — >• 
and Set (). 

• The types of T^jU are the types of T;^, together with the universe U. (The 
constructors x, — >■ and Set () may not be applied to U in Ti^U.) 

The formal definitions of these systems shall be given in the sections to come. 

5.1. Digression — Informal Explanation of Proof Technique 

Before proceeding with the technical details of the proof, we shall explain 
the informal ideas behind the technique we use to prove LTTq conservative over 
T2. The system LTTq is formed from T2 by adding products, function types, 
types of sets, and the universe U. Intuitively, none of these should increase the 
power of the system. 

We can see this most clearly in the case of products. Speaking generally, 
let S be any type system, and let T be formed by adding product types to S. 
Then T should have no more expressive power than S, because we can envisage 
a translation from T to S: 

• wherever a variable z : A x B occurs, replace it with two variables 
X : A,y : B; 

• wherever a term of type A x B occurs, replace it with two terms, one of 
type A and one of type B. 
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As long as the only way of introducing terms of type ^ x B is the constructor 
( , ), we should always be able to find the two S'-terms of types A and B that 
correspond to any T-term of type ^4x5. (This would however not be possible 
if (say) we could eliminate N over A x B inT.) 
In brief: 

• the terms of type Ax B can be interpreted as pairs (M, N) where M : A 
and N : B. 

Similarly, 

• the terms of type A ^ B can be interpreted as pairs {x, M) 
where x : A\- M : B; 

• the terms of type Set {A) can be interpreted as pairs {x, P) 
where x : A\- P prop. 

Our proof relies on making these intuitive ideas formal. 

These ideas show us how we might be able to remove types A ^ B that 
involve only one use of the arrow, but they do not show us how to handle types 
of the form {A ^ B) ^ C. Let us take another example: let S' be a typing 
system without function types, and let T be formed from S by adding function 
types. Let us define the depth of a type A, d{A) by: 

• the depth of each type in S* is 0; 

• d{A -^B)= max(d(^),d(B)) + 1. 

Then we have seen how to interpret types of depth 1 in terms of types of depth 
0. More generally, we can interpret types of depth n + 1 in terms of types of 
depth n. 

This shows us how to complete the proof. We introduce an infinite sequence 
of subsystems of T: 

S = Ao ^ Ai ^ A2 ^ ■ ■ - T 

where, in Am only types of depth < n may occur. We build an interpretation 
of An+\ out of the terms of An- every type of An is interpreted as itself; the 
types A — > S of depth n + 1 are interpreted as the set of pairs {x, M) where 
X : A'r M : B \\Y An- 

Using these interpretations, we can prove each An+\ conservative over An-, 
and hence T conservative over S. With these intuitive ideas to guide us, we 
return to the proof development. 

5.2. Tt^, is Conservative over T2 

We shall now define the system T„ to be T2 extended with pairs, functions 
and sets over all types, and prove that T^^ is conservative over T2. 
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Definition 5.1 (T^). The LTT T„ is defined as follows. 
The grammar of T^^ is the grammar of T2 extended with 

Type A ::= ■ ■ ■ \ Ax A \ A ^ A\Sei{A) 

Term M ::= • ■ • | (M, M)axA | Trf ^^(M) | irf'^^iM) \ 

Xx : A.M : A \ M{M)a^a \ {x : A \ P} 
SmaU Proposition P ::= ■■■\MeAM 

The rules of deduction of T;^ are the rules of deduction of T2, together with the 

rules for pairs (Appendix |Appendix A. 1 .3 ) , function types (Appendix |Appendix A.1.4[ ) 

and typed sets (Appendix [Appendix A.Esj ). 

Note that the type-theory component T^ is non-dependent: a term can never 
occur in a type. As a consequence, we have 

Lemma 5.2 IfTh A = B in T^ then A = B. 

Proof. Induction on derivations. 

To prove that T^^ is conservative over T2 , we shall define an infinite sequence 
of subsystems of T;^, and prove that each is conservative over the previous 
subsystem, and that the smallest is conservative over T2. 

T2 ^1 ^2 • ■ • 

We define the depth of a type of T^^ as follows. 

Definition 5.3. Define the depth d{A) < w of a type A of T,^ by 

d{n) ^ 

d{AxB) = max(d(A),d(B)) + 1 

d{A B) = max{d{A),d{B)) + 1 

d(Set(N)) = 

d(Set(A)) = d{A) + l (A^N) 



Note that the types of T2 are exactly the types of depth 0. 
For n > 1, we shall define An to be the fragment of T-^ that deals only with 
types of depth < n. 

Definition 5.4 (An)- Let n > 0. By a type (term, small proposition, propo- 
sition, context, judgement) of An, we mean a type (term, small proposition, 
proposition, context, judgement) of T^^ that does not contain, as a subexpres- 
sion, any type of depth > n. 

We say a judgement J of An is derivable in An iff there exists a derivation 
of e7 in Ti^ consisting solely of judgements of that is, a derivation of J' in 
which no type of depth > n occurs. We write P h„ J iff the judgement T \- J 
is derivable in An- 
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Note that the types of An are exactly the types of depth < n. Note also that 
Ao is just the system T2. 

We shall prove that An+i is conservative over An- The proof shall involve 

defining an interpretation of An+i in terms of the expressions of An- For the 
rest of this section, fix n > 0, and fix a context A of An such that A h„ valid. 

Definition 5.5 (Interpretation of Types). For the purposes of this defini- 
tion, an 'object' is either a term of An, or a pair of terms of An- 

For every type A of An+i, we define the set of objects [^4]^, and an equiv- 
alence relation on this set, as follows. 

If d{A) < n, then 

1^1^ = {M\AhnM:A} 

M --±N Ahn M = N : A 

Otherwise, 

{{M, N) \ A hn M : A, A h„ TV : B} 
Ahn M = M' : AAA^n N = N' : B 

{{x,M) I A,x : A\-n M : B} 
A,x ■- A\-n M = M' : B 

{(x,P) I A,.T ; A h„ P prop} 
A,x:A\-nP = P' 

We identify the elements of {A — > BJ^ and |Set (A)]^ up to a-conversion; that 
is, we identify {x,M) with (y, [y/x]M) if y is not free in M. 

We define the operations Hi, 112 and @ on these objects as follows. 

ni((M,iV)) = M 

n2{{M,N)) = N 

{x,M)@N = [N/x]M 

{x,P)@N = [N/x]P 

ni(X) and 112 (X) are undefined if X is not a pair. X@Y is undefined if X does 
not have the form {x, Z), or if Y is not a term. 

The intention is that we will interpret the terms of type A as members of the 
set 1^]^, with equal terms being interpreted as ~^-equivalent members 

Definition 5.6 (Valuation). Let F = a;i : Ai,...,x„ : An be a context of 

An+i- A A-valuation of F is a function v on {xi, . . . , x„} such that 

v{xi) € {Ai}^ {i = l,...,n) . 



lA X Bj^ 

{M,N) r.^""^ {M',N') <^ 
{A ^ B}^ 

{x,M) r^t^'' {x,M') ^ 

[Set(A)l^ 
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Definition 5.7 (Interpretation of Terms). Given a term M of An+i and 
a function v whose domain includes FV(M), we define tlie object (|MD^ as 
follows. 

i\xr = v{x) 

dor = 

dsM^ ^ sdMD" 

(\R{L,[x,y]M,N)r ^ i?(dir, [^,2/]d^r'"="'^^="', d^D 

U(\Mr,(\Nr)AxB iid{AxB)<n 
\(dM|rj7Vr) ifrf(^xB)=n + l 

jTr^''^{(\M\)'') ifd{AxB)<n 
~ [ni(^Mr) ifd{AxB) = n+l 



i\{-K, [Mm _ jn^CdMr) ifrf(AxB)=n + l 



dAa: : A.M : 
d{a; : A I PW 



jXx : A.dMr[^^=^l : B iid{A^B)<n 
|(a;,dM|)''[^^=^]) if d(A ^> B) = n + 1 

[dM^Od-^^r iid{A^B)=n+l 
( {x : A \ (\P\)''^''--=='^ if rf(Set (A)) < n 
[(a;,dPr''^^"'^') if rf(Set (A)) = n + 1 



Note that this is a partial definition; d-^D^i will sometimes be undefined. 

Definition 5.8 (Interpretation of Small Propositions). If P is a small 
.4.„+i-proposition, we define the small proposition d-PD" of An- 

(\M=nNf ~ d^r=Nd^r 
dir = i 



^7Vr@d^r iid{A) = n+l 



Definition 5.9 (Depth of a Proposition). We define the depth of a propo- 
sition (j), d{4>), to be 



d{<j>) = 



if (t!) is quantifier-free 

ina.x{d{A) \ (j) contains a quantifier Va; : A} otherwise 
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Definition 5.10 (Interpretation of Propositions). If (f) is 

an -proposition of depth < n, wc define the ^„-proposition d as fohows 

l\V{PW - Vim 

We have defined a sound interpretation of all the judgement forms of An+i 
except one: the judgement form F h $ To interpret these judgements, 

we shall define a notion of satisfaction. Intuitively, we define what it is for a 
proposition (p of An+i to be 'true' under a context A, valuation v and sequence 
of propositions $ of An- 

Definition 5.11 (Satisfaction). Let $ = (^i be a sequence of proposi- 
tions of An such that A l-„ (pi Prop, . . . , A l-„ <j>rn Prop. Let u be a A-valuation 
of F. Suppose F h Prop. We define what it means for {A,^,v) to satisfy </>, 
(A, v) \= (p, as follows. 

If d{(^) < n, then ((A, v) \= cP) ^ [A^^ ^ ^ UV)- 

Otherwise, 

• (A, t;) ^ D V iff, for all A' D A and D if (A', v) ^ (p then 

• (A, w) ^ Va; : A.cp iff, for all A' D A and a e [A]^,, we have 
{A',^,v[x:=a])\=<p. 

Definition 5.12 (Satisfaction and Truth). Let F h J" be a judgement of 

An+i, and let w be a A-valuation of F. We define what it means for A and v 
to satisfy J, written (A, v) \= J, as follows: 

. iA,v)\=M:AiS(\Mr e fA]^. 

• {A,v) \= M = N : AiS (\M\)-" (jA^'P^. 

• (A, v)\=P prop iff A h„ dPP" prop. 

• {A,v)\=p=QiSAhn (]pr = OQr • 

• If d{(p) < n, then {A,v) |= <p Prop iff A h„ <\(i)Y Prop. 

• (A,u) 1= (?i = V iff for all (A,$,u) |= (^i (A, t;) \=ip. 

• (A, t;) ^ Vi) • • • , V'n ^ X iff, for all $, if (A, t;) ^ for 1 < i < n then 
(A,$,t;) ^x- 

• For all other judgement bodies J, we have (A, u) |= J7 for all A, u. 
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We say a judgement T \- J oi An+i is true iff, for every context A of An such 
that A l-„ vahd and every A- valuation v of T, (A, v) ^ J'. 

The following theorem shows that this interpretation is sound. 
Theorem 5.13 (Soundness) Every derivable judgement of An+i is true. 
The proof is given in Appendix [Appendix B.l[ 

Theorem 5.14 (Completeness) 

1. Let T \- be a judgement of An, and suppose J does not have the form 

// the judgement is true, and T h„ valid, then the judgement is 
derivable in An ■ 

2. Let r h . . . , (/),„ =^ -tp be a judgement of An- If the judgement is true, 
and we have T h„ valid and T h„ 0j Prop for i — l,...,m, then the 
judgement is derivable in An- 

Proof. 

1. Let Ir be the identity function on domP. Then Ir is a P- valuation of P 
and, for every expression X of An such that FV (X) C domP, 

So, suppose P h M : A is a judgement of An, and is true. Then 

(P, Ir) ^M:A 

and so P |-„ (\M\)^^ : A. But (\M\)^^ = M, and so P h„ M : A as required. 
The proof for the other judgement forms is similar. 

2. Suppose P h $ ^ -0 is true, where $ = 0i, . . . , 0^. We have that 

Ph$^(/., {i = l,...,m) 
and so (P, $, Ir) satisfies each 0;. Therefore, (P, Ir) satisfies -0, that is 

p h $ =^ V 

as required. 

Corollary 5.14.1 If J is a judgement of An derivable in An+i, then J is 
derivable in An- 

Proof. This follows almost immediately from the Soundness Theorem and the 
Completeness Theorem. There are just two facts that need to be verified: 

1. If P is a context of An, and P h„+i J , then P h„ valid. 

2. If P is a context of An', <f>i, - - - , 4>m are propositions of An', and P h^+i 
(/>!,..., 4>m 0; then P l-„ valid and P h„ Prop. 
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These are proven fairly easily by induction on derivations, using the Soundness 
and Completeness Theorems. 

Corollary 5.14.2 (Conservativity of T^ over T2) If J is a judgement of 
T2, and J is derivable in T^^, then J is derivable in T2. 

Proof. Suppose J' is derivable in T^^. Let n be the largest depth of type or 
proposition that occurs in the derivation. Then is derivable in An ■ Applying 
CoroUarv 15.14.11 we have that J is derivable in An-i, An^2, Ao- But 
derivability in Ao is the same as derivability in T2. 

5.3. Ti^U is Conservative overT^ 

The system T^U is the fragment of LTTq that includes all the types of T^, 
and the universe U, but does not include types such as [/ x [/, N — s> C/, or 
Set{U). It is defined in a similar manner to the systems An of the previous 
section, but using a new notion of depth. 

Definition 5.15 (T^C/). A type A of LTTq is a type ofT^U, iff either A = U 
or the symbol U does not occur in A. 

By a term (small proposition, proposition, context, judgement) of Ti^U, we 
mean a term (small proposition, proposition, context, judgement) of LTTq in 
which every type that occurs as a subexpression is a type of T^jU 

We say a judgement J7 oiTujU is derivable in TujU iff there exists a derivation 
of J' in LTTq consisting solely of judgements of T^jU ; that is, a derivation of J' 
in which every type that occurs is a type of Ti^U. 

We write T \-+ J iS the judgement T h J is derivable in T^U, and T J 
iff the judgement F h JT" is derivable in T^^. 

Note. The types of T^jU are not closed under x, — !> or Set ( ). For example, the 
types U X U and U U are not types of T^^C/. 

In order to prove T^^U conservative over T^^, we must find an interpretation 
of U and of the types T{M). We do this by interpreting the objects of T{M) as 
binary trees with leaves labelled by natural numbers. For example, the object 
((1, 2), 3) of type T((NxN)xN) wih be interpreted as the binary tree 
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1 2 



We interpret U as the set of all shapes of binary tree. We begin by inventing a 
syntax for the set of all shapes of binary trees: 
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Definition 5.16 (Shape). The set of shapes is defined inductively by: 

• • is a shape. 

• If S and T are shapes, so is 5 A T. 

We write ^ for the set of all shapes. 

The example tree above has shape (• A •) A •. 

We must thus associate each shape with a small type. This association is 
done formally by the following function: 

Definition 5.17. For every shape S € define the type ^{S) of as 
follows: 

^(•) = N 

^{SAT) EE ^{S) X ^{T) . 

There are two other gaps between T^U and T(^ to be bridged. In T^^, we 
can only eliminate N over N; in T^jU, we can eliminate over any small type. 
Likewise, in T^j, a small proposition may only involve quantification over N; in 
T^jU, a small proposition may involve quantification over any small type. 

We bridge these gaps by using the fact that every binary tree can be coded as 
a natural number. Given a bijection P : — >■ N, we can assign a code number 
to every binary tree. The binary tree above, for example, would be assigned the 
code number P{P{1, 2), 3). We shall define, for every shape S, mutually inverse 
functions 

codes : ^{S) N 
decodes : N ^ S-{S) 

Using these functions, we can interpret recursion over small types by recursion 
over N, and quantification over small types by quantification over N. 

We turn now to the formal details. The first step is to construct in T^^ the 
bijection P above, and the coding and decoding functions. 

Lemma 5.18 (Pedring Function) There exist Tui-terms 

P : N X N ^ N 
Qi : N N 
Q2 : N N 

such that the following are theorems of : 

Vx:N.V2/:N.Qi(P(x,2/))=NX ] 

yx:N.yy:N.Q2{Pix,y))=ny } (9) 
Va; :N.a;=NP(Qi(a;),Q2(a;)) J 
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Proof. Consider the three primitive recursive functions 



p{m,n) = 2"(2n + l) 

q{n) = the greatest m such that 2"* divides n 
r(n) = l/2(n/29(") - 1) 

It is straightforward to define terms P, Qi and Q2 in T^^ that express q and 
r and prove the three formulas (jO)). 

Fix three such terms P, Qi and Q2 for the sequel. 

We shall also need a notion of equality on every small type in T^, not just 
N. This is defined as follows. 

Definition 5.19. Given T^j-terms M and N and a T^^-type define 
the T^^-proposition M =a N as follows. 

M N = M =N 

M ^AxB N = 7ri(M) vri(A^) A tt2{M) t^2(N) 

M =A^B N = \/x: A.M{x) =b N{x) 

M =sct(A) iV EE Va; : A.{x M ^ x ^a N) 

Definition 5.20 (Coding Functions). For each shape S 6 S^, define 
the T^^-terms 

codes : ^(5") ^ N 
decodes : N ^{S) 

as follows. 

code, = Xx : N.x 

decode, = Aa; : N.x 



codesAT = Xp ■■ ^{S) X ^(T).P(codes(7ri(p)),codeT(^2(p))) 
decodesAT = An : N.(decodes(Qi(ri)), decodeT(Q2(^i))) 

Lemma 5.21 For every shape S, the following are theorems ofTi^: 

Vp : ^(S').decodes(codes(p)) =^{s) P 
Mn : N.codes(decodes(n)) =n n 

Proof. The proof is by induction on S, using the properties of P, Qi and Q2 
from Lemma [5. 181 

We can now proceed to define our interpretation of T^jU in terms of T^^. 
The definition is more complex than the interpretation in the previous section, 
because the type-theoretic component of T^U is dependent, so we must define 
our interpretations of terms and types simultaneously. 
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Definition 5.22. Let A be a context of T^, and v a function. We define the 

following simultaneously. 

• Given a T„i7-term M and a function v, define the object (\M\)^ as follows. 

dxr ^ vix) 

dor = 

(\sMr ~ s(\Mr 

(](M,7v)^xsr - mrANrhArxuBr 

dXx : AM : BD" ~ Aa; : (]A|)^(]MP''[^^=^] : dSD" 



(\MxNr ^ (\MrA(\Nr 

(\{x:A\PW - {x : N^^r'"^="l} 

(\Ef,i[x]TiK),L, [x,y]M,N)r ^ decodes(fl^|).)(R(codes(o)(dLr'), 

[x,y]codesis.)mr')ANr)) 
where S{N) = dis:|)^[^^=^l and ?/ = -^[2; := x,y := dccodes(^)(y)]. 
Given a type A^U oi T^U, define a type of T^. 

(\Nr = N 

(\AxBr ^ d^rx^^r 
d^^Bp'' ~ (\Ar^(\Br 

(]T(M)r ~ T((]MP'') 
(]Set(A)r ~ Set{ilAr) 

Given a T^,{7-type A, define a set and an equivalence relation 
on [AY^ as follows. 

If A ^ J7, then 



lAf = {M \Ah+M: (\Ar} 



Otherwise, 



u 



S^'i^.T ^ S = T 



• Let r = xi : ^1, . . . , Xm ■ Am be a context of T^U. We say that u is a 
A-valuation of F iff v{xi) € [AJa for i = 1, . . . , n. 
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• Given a small proposition P of T^U, define a small proposition ^P\)'" of 
T„ as follows. 

(\M^=NM2r ^ code(|jv|).(^Mir)=NCode^ivD''(^^2r) 

• Given a proposition (j) of Tt^[/ that does not include a quantifier over [/, 
define a proposition d^D" of T^j as follows. 

dy(p)r ^ v^((]pr) 

Recall that we write Ah" J^iffAhjT'is derivable in T^;. 

Definition 5.23 (Satisfaction). Let $ = i^i, . . . , (pm be a sequence of propo- 
sitions of such that A (bi Prop. Let u be a A-valuation of F. Suppose 
T \- (j) Prop. We define what it means for (A, $, v) to satisfy (j), (A, $, v) |= 
as follows. 

If (j) does not involve quantification over U, then 

((A,$,t;) ^0)^(Ah-$^d#'') • 

Otherwise, 

• (A, ^ (/) D V iff, for ah A' D A and D if (A', w) ^ then 
(A',$',^;) hV'- 

• (A, t;) 1= Va; : iff, for all A' D A and a e we have 
(A',$,t;[ar:=a]) H<^- 

Definition 5.24 (Satisfaction and Truth). Let P h ^7 be a judgement of 
Tj^.C/. Let A valid, and let u be a A-valuation of P. We define what it 
means for A and v to satisfy J , (A, v) \= J ^ as follows. 

• If ^ ^ [/, then (A,!;) \= A type iff d^])^ is defined. 

• YiAi^Ui^B, then {l\,v)\^ A = B iff <\AY = <\BY ■ 
. (A,z;)hM:AifrdMr e[A]l. 

. (A, t;) h M = TV : A iff (JM^ • 
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• (A,w) \= P prop iff A h- flP^" prop. 

. (A,«) h ^ = Q iff A h-^ v(flpr) ^ ^^(flQr)- 

• li (f) does not include a quantifier over U, then (A, w) |= Prop iff 
A h- m Prop. 

• (A, w) 1= = -0 iff, for all $, we have (A, ^,v) \= (j) iff (A, $, v) \= tp. 

• (A, w) 1= . . . , 0„i ^ V iff: for aff $, if (A, $, w) |= for i = 1, . . . , m 

then (A, |= i/j. 

• For all other judgement forms, we have (A, v) \= J for all A, v. 

We say a judgement F h J7 of T^jC/ is true iff, for all A such that A h~ valid 
and all A-valuations v of F, (A, v) ^ J'. 

Remark. This interpretation uses the propositional equality defined in Defini- 
tion I5.19[ whereas our interpretation in the previous section used judgemental 
equality. This is because the properties of our coding and decoding functions 
can be shown to hold up to propositional equality (as in Lemma l5.2ip . but not 
up to judgemental equality. 

We now prove that the interpretation is sound. 

Theorem 5.25 (Soundness) Every derivable judgement in T^U is true. 

The proof is given in Appendix [Appendix B.2[ 

Theorem 5.26 (Completeness) IfT ^ J is a judgement ofT^ that is true, 
and F valid, then T \- is derivable in . 

Proof. Exactly as in Theorem 15. 141 

Corollary 5.26.1 If is a judgement of T^j derivable in T^U , then J is 
derivable in T^^ . 

Proof. Similar to CoroUarv lS. 14.11 

5.^. LTTq is Conservative over T^jJJ 

The next step in our proof is to apply the same method to show that LTTq 
is conservative over T^jt/. The proof is very similar to Section [5.21 but the 
details are more complicated, because we are now dealing with LTTs whose 
type theoretic components use dependent types. 

Once again, we introduce an infinite sequence of subsystems between 
and LTTq: 

T^C/ = Bo Si 62 • • • LTTo 
We do this using a new definition of the depth of a type: 
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Definition 5.27 (Depth). Define the depth D{A) of a type A of LTTq by 



D{N) = 



D{A X B) = 
D{A -^B) = 
D{Set (A)) = 




max{D{A),D{B)) + 1 

if D{A) = 

D{A) + 1 otherwise 



max{D{A),D{B)) + 1 








otherwise 



if D{A) = D{B) = 



if D{A) = D{B) = 



otherwise 



D{U) = 1 

D{T{M)) = 



We define the depth of a proposition 0, -D(0), to be the largest depth of a type 
A such that the quantifier Va; : A occurs in 0, or D{^) = if is quantifier-free. 

Note that the types of T^U are exactly the types A such that D{A) < 1. 
The subsystems B„ are defined as follows. 

Definition 5.28 (B„). Let n > 0. By a type (term, small proposition, propo- 
sition, context, judgement) of Bn , wc mean a type (term, small proposition, 
proposition, context, judgement) of LTTq that does not contain, as a subex- 
pression, any type A such that D(A) > n. 

We say a judgement J7 of B,-,, is derivable in Bn iff there exists a derivation 
of J" in LTTq consisting solely of judgements of Bn, that is, a derivation of J in 
which no type A occurs such that D{A) > n. In this section, we write F l-„ ^ 
iff the judgement T \- J is derivable in Bn- 

We define an interpretation of B„+i in terms of B„: 

Definition 5.29. Fix n > 1. Let A be a context of B„, and v a function. We 
define the following simultaneously. 
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Given a term M of define the object d-BD". 



(\xr ^ v{x) 
(\or = 

(|sM|)" - silMl)" 

(\Ef,{[x]T{K),L,[x,y]M,N)r 

^ En{[x]Tmr^^'-=''^)ALr, 

[x,y](\Mr^---=-'y-=y\(\Nr) 

\{I\M\)\I\N\)^) ifD{AxB) = n+l 

r^J^D^xdsr^jj^j),,) i{D{AxB)<n 
jniCdM^") ifD{AxB)=n + l 



(\{M,N)axb\) 



(\Xx : AM : B\)' 
l\M{N)A^Br 

(i{x:A\ P}r 



TT. 



(dMf) if D{AxB)<n 



^HaCdM^") ifD{AxB)=n + l 

'Xx : d^f .dM^''[^^=^l : (JBD" 

if D{A B) <n 

(a;jAf|)"[=^^=^l) ifD{A^B) = n + l 

UMrmrhAr^m^ if D{A ^B)<n 
IdMpOdiVD" ifD{A^B)=n + l 

N 

dM^xdiVr 

f{x : (\A\)'' I dPD''[^^=^l} if r>(Set {A)) < n 

1 (a;,dPD''l^^==^l) if D(Set (A)) = n + 1 



Given a type A of Bn+i such that -D(A) < n, define the type d^D" of 



= N 

(\AxBr ^ (\Arx(\Br 

dT(M)r ^ rmr) 

dSet(A)r ^ Set(d^r) 



Given a small proposition P of Bn+i, define the small proposition d^D^ 
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as follows. 

Given a type A of Bn+i, define a set [^]^ and an equivalence relation 
on this set. 

If D{A) < n, then 

lAjl = {M|Ah„M:Pr} 

Otherwise, 

lAxBjl = {{M,N)\Ah^M:(\Ar,Ah^N:(\Br} 

(M, N) '^i'^^ (M', iV') ^ A h„ A/ M' : ^ A^" 

AA h„ iV ^ AT' : dSP" 



[A^SII - {{x,M)\A,x:(]Ar^M:(]Br} 

{x,M)^i-:^ {x,M') ^ A,x:(\Ar^M = M':(\Br 

lSetiA)ll = {{x,P)\A,x:(\Ar^Pwop} 

(x,P)^if^) ^ A,x:llA\rhP = P' 



• Given a context F = xi : Ai, . . . , Xm ■ Am of i3„+i, we say that i; is a 
A-valuation of F iff £ I^iJa f'^'" each i. 

• Given a proposition (/) of B„+i such that -D(0) < n, define the proposition 
(|0D" as follows. 

dy(p)r ^ v^(opir) 

We define what the notion of satisfaction (A, ^ V' similarly to Defini- 
tion EH] 
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Definition 5.30 (Satisfaction). Let $ = 0i, . . . , be a sequence of proposi- 
tions of An such that A |-„ (pi Prop, . . . , A h„ <j>rn Prop. Let w be a A-valuation 
of F. Suppose r \-n+i Prop. We define what it means for (A, v) to satisfy 
(j), (A, 1= (f), as follows. 

If D{^) < n, then ((A, i;) ^ 0) ^ (A h„ $ ^ ^0^"). 

Otherwise, 

• (A, $, w) h </) D iff, for all A' D A and $' 3 $, if (A', u) ^ </> then 
(A',$',«) hV'- 

• (A, u) h Vx : iff, for all A' D A and a e we have 
(A',<i>,z;[a; a]) h 0- 

Definition 5.31 (Satisfaction and Truth). Let F h J7 be a judgement of 
Bn+i- Let A h„ valid and w be a A-valuation of F. We define what it means 
for A and v to satisfy J', (A, v) \= J', as follows. 

• IiD{A) < n, then (A, v) \= A type iff {Af^ is defined and A h„ type. 
If D{A) then (A, v) \^ A type iff |^]^ is defined. 

• If D{A),D{B) < n, then {A,v)^A^B iff = and 

= i-L) and A h„ = ^i^r- 

If D(^) = D{B) = n + 1, then (A,?;) h ^ = ^ iff (Af^ = (Bf^ and 

. (A,i;)hM:^iff(|MreIA]A. 

. {A,v)^M = N:Am (\Mr ^1. QiVD" 

• (A, v)^ P prop iff A h„ ^P[)" prop. 

. (A,t;) hP = Qiff Ah„ = ^Qr 

• If < n, then (A, v) \^ (j) Prop iff A h„ Prop. 

• (A, 1= = i/' iff, for all we have (A, ^,v) \^ (j) iff (A, $, |= -(/'■ 

• (A,ti) ^ "01, . . . ,'0m X iff, for all $, if (A, <!>,■(;) satisfies for all i, 
then (A,$,i;) satisfies x- 

• For any other J, we have (A, v) \^ J' for all A, w. 

We say F h J7 is true iff, whenever A h„ valid and w is a A-valuation of F, then 

Theorem 5.32 (Soundness) Every derivable judgement in Bn+i is true. 
Proof. Similar to Theorems 15. 131 and 15.251 
Theorem 5.33 
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1. Let T \- J be a judgement of Bn, and suppose J does not have the form 
^ ^ tp. If the judgement is true, and T h„ valid, then the judgement is 
derivable in Bn- 

2. Let r h (/)!,..., => ^ be a judgement of Bn. If the judgement is true, 
and we have T l-„ valid and T h„ 0j Prop for i ~ l,...,m, then the 
judgement is derivable in Bn- 

Proof. Similar to Theorem 15. 141 

Corollary 5.33.1 If J is a judgement of Bn derivable in Bn+i, then J is 
derivable in Bn- 

Corollary 5.33.2 If J is a judgement ofT^U derivable in LTTq, then J is 
derivable in T^ujU - 

With this final step, we have now completed the proof of the conservativity 
of LTTo over ACAq: 

Corollary 5.33.3 Let (j) be a formula of second order arithmetic with free vari- 
ables Xi, . . . , Xm, Xi, - - - , Xn- If 

xi : N,..-,Xrn ■- N,Xi : Set (N) , . . . , X„ : Set (N) 
in LTTo then ACAq h cj). 
Proof. Let J be the judgement 

ii : N, . . . ,a;™ : N,Xi : Set (N) , . . . : Set (N) i^- 
Suppose J is derivable in LTTq. Then 

J is derivable in T^C/ (Corollary [5J33) 

.'. is derivable in Tui (Corollarv l5.26.l| ) 

.-. J' is derivable in T2 fCorollarv l5.14.2j) 

.-. ACAo h (j) (Corollary HXI]) 



6. Other Conservativity Results 

6-L Conservativity o/LTTg over AC A 

Our proof method can be adapted quite straightforwardly to prove the con- 
servativity of LTTq over ACA. We shall present these proofs briefly, giving only 
the details that need to be changed. 

We define subsystems of LTTq: 

T2 ^ T* T^U* ^ LTTq 

T2 is formed from T2 by allowing the rule (IndN) to be applied with any analytic 
proposition cf). In the same manner, T* is formed from T^^, Ti^U* is formed from 
TuiU, and LTTg is formed from LTTq. 

The proof of the conservativity of LTTq over T2 follows exactly the same 
pattern as in Section O 
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Theorem 6.1 Theorem\J^ holds for and ACA. 



Proof. Similar to the proof of Theoreni l4.2l 

Similarly, Corollary [5312] holds for T* and T*, CoroUary holds for 

T^J7* and T* , and CoroUarylOSJ holds for LTT* and T^U*. This completes 
the proof that LTTq is conservative over ACA. 

6.2. Conservativity o/ACAo over PA 

As a side-benefit of this work, we can easily produce as a corollary another 
proof that ACAq is conservative over Peano Arithmetic (PA). We can define a 
system Ti with just one type, N, in its type-theoretic component. We can apply 
our method to show that T2 is conservative over Ti , and that Ti is conservative 
over PA; we omit the details. 

Combining all these proofs, we can produce the following elementary proof 
that ACAq is conservative over PA, which proceeds by interpreting the formulas 
of ACAq as statements about PA. To the best of the authors' knowledge, this 
proof has not appeared in print before. 

Theorem 6.2 ACAq is conservative over PA. 

Proof. Define a PA-jormula to be a formula in which no set variables (bound 
or free) occur. 

Let V be a set of variables of L. A valuation of V is a function u on V such 
that: 

• for every number variable a; G V, v{x) is a term of PA; 

• for every set variable X e V, v{X) is an expression of the form {y \ 0} 
where is a PA-formula. 

For t a term, let v{t) be the result of substituting v{x) for each variable x in t. 

For (f) a formula of L, let v{<j)) be the PA-formula that results from making 
the following replacements throughout 0. 

• Replace each atomic formula s — t with v{s) = v{t). 

• For each atomic formula t G X, let v{X) = {y \ ■;/;}. Replace t G A" with 

[v{t)/y]il;. 

Define what it is for a valuation v and PA-formula V' to satisfy an L-formula 
(j), (u, V') h 01 follows. 

• If is arithmetic, (u, ■(/;) H iff ^ 3 w(0) is a theorem of PA. Otherwise: 

• (w, '0) ^ D X iff, for any PA-formula -0', if (w, ■0 A tl)') |= 
then (u, i/j Alp') \= x- 

• {v,ip) \= Vx0 iff, for every term t, {v[x := t],^p) \= </>. 
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• {v,iIj) \= yX(f) iff, for every PA-formula x, {v[X :— {y \ x}]i'4') \= 4>- 

Let us say tliat a formula (/> of L is true iff {v,x — x) ^0 for every valuation v. 
We prove the following two claims: 

1. Every theorem of ACAq is true. 

2. Every PA-formula that is true is a theorem of PA. 

The first claim is proven by induction on derivations in ACAq. As an example, 
consider the axiom 

vx((/) D V) 3 ((/) D yxip) 

where X ^ FV (0). Fix v and x^ ^-nd suppose 

(i;,x) hVX(0D V-) • 

We must show that (w, x) |= </> D VXip. 

Let x' be any PA-formula, and suppose {v,x ^ x') \= 4'- Let r be any PA- 
formula; we must show that {v[X := {y \ r}], x A x') h 4>- Since X ^ FV (0), 
we have that 

{v[X |r}],xAx') h0 

We also have {v[X := {y \ r}], xAx') h ^ V', and so {v[X {y \ r}], xAx') \= 
ip as required. 

The second claim is proven using the valuation that is the identity on FV (</>). 
It follows that, if a formula of PA is a theorem of ACAq, then it is a theorem 
of PA. 

Remarks. 

1. The same method could be used to show that Godel-Bernays set theory 
is conservative over ZF set theory. 

2. Another proof-theoretic method of proving this results is given in Shoen- 
field 1^. That proof relies on some quite strong results about classical 
theories; our proof is more elementary. However, Shoenfield's proof is con- 
structive (giving an algorithm that would produce a proof of _L in PA from 
a proof of _L in ACAq) and can be formalised in PRA; ours has neither of 
these properties. 

6.3. ACA+ 

An argument has been made that the system ACKq corresponds to Weyl's 
foundation p. 135], claiming that its axiom schema of w-iterated arithmeti- 
cal comprehension 'occurs in the formal systems defined by Weyl and Zahn', 
presumably a reference to Weyl's Principle of Iteration 0, p. 38]. 

The axioms of ACAj are the axioms of ACAq together with the follow- 
ing axiom schema of uj-iterated arithmetical comprehension. Assume we have 
defined a pairing function {x,y) in ACAq. We put 

iX),={n:{n,j)eX}, (Xy ^ {{m,i) : {m,i) e X A t< j} . 
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Then, for every arithmetical formula (j)[n, Y] in which X docs not occur free, 
the following is an axiom: 

3X\/jyn{n G {X)j ^ {Xy]) . 

The translation we gave in Section [331 is a sound translation from AC A J into 
LTTw . It is difficult to construct a subsystem of LTT-yv that is conservative over 
ACAJ, however. A natural suggestion would be to extend LTTq by allowing 
to take either a small type, or the type Set (N); let us call the system produced 
LTT|| . Then LTT J is indeed conservative over T^ , the extension of T2 with a 
new constructor 

r h L : Set (N) T, .t : N, F : Set (N) h M : Set (N) 
r h iV : N 

r h R+(L, [x,Y]M,N) : Set (N) 

and appropriate equality rules. 

However, it seems unlikely that T^ is conservative over ACA^J". In particular, 
there seems to be no way to interpret terms that involve two or more applications 
of In LTTfj', we may iterate any definable function Set (N) — !> Set (N). In 
ACAJ, we may only iterate those functions that are defined by an arithmetic 
proposition; and not every such function definable in ACA(J" is defined by an 
arithmetic proposition. 

7. Conclusion 

We have constructed two subsystems of LTTw, and proved that these are 
conservative over ACAq and ACA respectively. We have thus shown how, using 
LTTs, we can take a system like ACAq or ACA and add to it the ability to 
speak of pairs, functions of all orders, sets of all orders, and a universe of types, 
without increasing the proof-theoretic strength of the system. 

We have also begun the proof-theoretic analysis of LTTw- We now know 
that LTTw is strictly stronger than LTTq, and hence ACAq. The subsystem 
LTTq is quite a small fragment of LTTw, and so we conjecture that LTTw 
is strictly stronger than LTTq, and hence strictly stronger than ACA. Once 
this conjecture is proven, we will have quite strong evidence for our claim that 
Weyl's foundation exceeds both ACAq and ACA. 

The method of proof we have given is quite a general one, and should be 
applicable in many other situations. It does not rely on any reduction properties 
of the type system, and so could be applied to type systems that are not strongly 
normalising, or do not satisfy Church-Rosser (or are not known to be strongly 
normalising or to satisfy Church-Rosser). It provides a uniform method for 
proving types redundant; we were able to remove products, function types, 
types of sets, and the universe from LTTq. 

Furthermore, the method allowed us to separate these tasks. We were able to 
remove U separately from the other types, and to use a different interpretation 
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to do so. In Sections 15.21 and 15.41 for example, we interpreted judgemental 
equality by judgemental equality; in Section 15.31 we interpreted judgemental 
equality by propositional equality. Our method is thus quite powerful; we did 
not have to find a single interpretation that would perform all these tasks. 

A proof of our conjecture that LTTw is stronger than LTTg has very recently 
been discovered, by the first author and Anton Setzer. The proof theoretic 
strength of LTTw is in fact (j>gg{0). A paper presenting the proof of this result 
is in preparation. 

For future work, we should investigate more generally how adding features 
to an LTT changes its proof-theoretic strength. This will be a more difficult 
task, as we will need to investigate what effect induction and recursion have 
when they are no longer confined to the small types and propositions. We are 
particularly interested in the differences between LTTs and systems of predicate 
logic; for example, in how the strength of an LTT changes when we modify the 
type-theoretic component but not the logical component. 

Finally, we note that there are striking superficial similarities between our 
work and Streicher 17|, who also gave interpretations to type theories. Like our 
interpretations, his were first defined as partial functions on the syntax, then 
proven to be total on the typable terms by induction on derivations. He also 
made use of a 'depth' function on types. Our work is not a direct application 
of his, but it remains to be seen whether there are formal connections that can 
be exploited. 
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Appendix A. Formal Definition of Systems 

We present here the definition of LTTw and the two principal subsystems 
used in this paper. 
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Appendix A.l. LTTw 

The syntax of LTTw is given by the following grammar: 

Type A ::= N \ Ax A \ A^ A\U \ T{M) \ Set {A) 

Term M ::= x | | s M | £^([3;] A, M, [x, x]M, M) \ 

(M,MUxA|7r^^^^(M)|7r2^x^(M)| 
Ax : A.M : A \ M{M)a^a | N | MxM | 
{x:A\P} 

small Proposition P ::= M=mM \ 1 \ PdP l^x : M.P \ MGaM 
Formula (/) ::= M =m M \ ± \ (/> D (j) {Vx : A.(t) \ V{P) 

We write ^(j) for (j) D -L, and M Ga N for V{MGaN). 
The rules of deduction of LTTw are as follows: 

Appendix A. 1.1. Structural Rules 

r\-A type r h valid 

(x ■ A G D 

h valid r,a;: Ah valid T \- x : A 

r^M-.A ThM = N:A T h M = N : A T ^ N = P : A 



T\-M = M:A T\-N = M:A T h M = P : A 

ri-7ltype T^A = B T\-A = B T\-B = C 

rV-A = A rhB = A ThA = C 

T\-M:A r\-A = B F \- M = N : A ThA = B 

Th M : B Th M = N : B 

r h p prop rhP = o rhP = Q t^q = r 



rhP = p rhg = p rhP = p 

r\- (j) Prop ri-(/) = v ri-(/) = v ^^iP = x 



r h ^1 Prop • • • PI- (/)„ Prop ri-$^0 T\-<l) = ip 

Appendix A. 1.2. Natural Numbers 

F h valid F h valid FI-M:N FI-M = M':N 



FhNtype FhO:N FhsM:N FhsM = sM':N 

F,a;:NhCtype F h L : [0/a;]C 

(En) T,x:N,y:C\-M: [sx/x]C F h AT : N 

F h EN([ar]C, L, [ar, y]M, N) : [7V/a;]C 
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r,x:NhC = C" ThL = L' : [0/x]C 

(En=) T,x:N,y:C[-M = M':[sx/x]C T ^ N = N' : N 

r h Ej^{[x]C, L, [x, y]M, N) = Efi{[x]C' , L' , [x, y]M' , N') : [N/x]C 

r,a;:NhCtype T h L : [0/a;]C 
(EnO) T,x:N,y:Ch M : [sx/x]C 

r h En([x]C, L, [x, y]M, 0) = L : [0/x]C 

r,a;:NI-Ctype T\-L:[Q/x]C 

T,x:N,y:C^ M :[sx/x]C T h TV : N 
(En s) 

rhEfi{[x]C,L,[x,y]M,sN) 

= [7V/a;,EN([x]C,L, [x, 2/]M, Af)/2/]M : [sN/x]C 

r, X : N h </) Prop T h : N 

(Indw) rh$^[0/x]</. r,a;:Nh$,(/.^ [sa:/a;]0 
r I- $ ^ 

Appendix A. 1.3. Pairs 

Th A typo r h B type rh^ = A' rhB = B' 
r h ^ X S type r h (A X B) = (A' X B') 



rhM:A rhiV:B 



r\-A = A' r\-B = B' 

M = M' :A r\- N = N' -.B 



THM,NU^,:A.B r h (M, iV^ = (M', iV' ^ : A x B 
ri-M:AxB 



rhM = M':AxB 



rhTT^x (M):A rh7rfx«(M) = ^f'><^'(M'):A 
r h M : A X B 



ri-A = A' B = B' 
M = M' :AxB 



M : A T\- N : B T \- M : A T ^ N : B 



r h Trf x«((M,iV)^xB) = M : A {{M, N)axb) = N : B 

r,z : Ax B'r (p Prop T h M : A x B 
(etax ) ^h$=>[(7r^^x^(M),7r,^x^(M))/z]<^ 



F h $ ^ [M/z](j) 
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Appendix A. 1.4- Functions 

rh^type rhStype T\-A = A' T\-B = B' 



T\-A^B type T \- {A ^ B) = {A' ^ B') 

T'r A = A' B = B' 
T,x : A\- M : B T,x : Ah M = M' : B 



r h (Aa; : A.M ■.B):A^B T h (Ax : A.M : B) 

= {\x : A'.M' :B'):A^B 



Th M :A^B T\-N :A 



Th A = A' Th B^B' 

M = M' -.A-^ B T h N = N' : A 



r h M{N)a^b : B 



r h MiN)A^B = M'{N')a'^b' : B 
r,x : Ah M : B T h N : A 



r h (Ax : A.M : B){N)a^b = [N/x]M : [N/x]B 

r,z : A-^ B\- (j) Prop T \- M : A B 
(eta^) T\-^^[Xx: A.Mjx) : B/z](l) 

r h $ ^ [M/z](f) 

Appendix A. 1.5. Typed Sets 

Th A type T h A = A' 



r h Set {A) type T h Set {A) = Set (A) 
T,x : A\- P prop T \- A = A T,x : A\- P = P' 



Th{x:A\P}:Set{A) T h {x : A \ P} = {x : A \ P'} : Set {A) 

V ^ A — A' 

rhM:A r h _Y : Soi ,\ 

r h M ^ M' : A r h iV = TV' : Set (A) 

ThMGAN prop ThiMGAN) = {M'GA'N') 

T\- M :A r,x: Ah P prop 

r h {M€a{x ■.a\p}) = [m/x]p 



44 



Appendix A. 1.6. The Type Universe 

r h valid Th M -.U T\- M = M' -.U 



r\-U type r h T(M) type T h T(M) = T(M') 
r h valid r h valid 



r h N : Z7 r h T(N) = N 
T\- M lU T\- N lU M = M' -.U N = N' -.U 



T\-MxN:U T\- {MxM') = {NxN') :U 

M -.U N:U 



r h T{MxN) = T{M) X T{N) 
Appendix A. 1.7. Classical Predicate Logic 

r h valid r h Prop T h $ _L 
r h _L Prop r h $ ^ 

4> Prop r h ^ Prop T 'r 4> = (j)' V \- ip = ip' 

r h D ^ Prop r h (<?i D V) = 3 V'O 



r h <]> ^ ( lo!)) 

(DN) — 

r h $ ^ (/) 

r,a;:Ah0Prop P h A = A' P, a; : A h (?i = 



r h Va; : A.(j) Prop P h (Va; : A.^) = (Va; : A' .cj)') 
rh<^iProp ••• rh0„Prop T^^^^x-.A.d) V ^ M : A 



Vr (i)i,...,(j)n^yx : A.tp 
Appendix A. 1.8. The Propositional Universe 

r h P prop P h P = Q 



P h $ ^ [M/x\ 



T h V{P) Prop r h y(p) = y(Q) 
r h valid P h valid 



P h ± prop P h = ± 

P h P prop r h prop PhP = P' Pho = g' 
P h PdQ prop P h (PdQ) = (P'Dg') 
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r h P prop T h Q prop 



r h v{pdQ) = (F(P) D viQ)) 

r,a; : r(M) h P prop T h M = M' : t/ T, x : T(M) h P = P' 
r h Vx : M.P prop T h (Vx : A/.P) = (Vx : Af'.P') 

r,a; : T(M) h P prop 
r h V(yx : M.P) = (Vx : T(M).\/(P)) 

Appendix A. 1.9. Equality 



r h Ml : T{N) r h Af2 : r(^) 

T\- {Mi^N M2) Prop 



r h AT = TV' : f7 
r h A'/i Af( : T{N) 
r h Afa = Af^ : r(A) 

r h (A//i =jv A//2) = {M[ M'^) 



Vr (j)i Prop • • • r h (/)„ Prop 
F h AT : T[N) 

T,x : T{N) h (/) Prop 

(subst) r h $ ^ Afi =Ar Af2 r h $ ^ [Afi/x](/. 

r h $ ^ [Af2/x]0 



r h Ml : T(N) r k A/2 : T{N) T h Mi - M[ : T{N) 

- t L_: r h Af2 = Af^ : T{N) 

T h (A/i=^M2) prop rh(Afi=^A/2) = (Af{-A.Af^) 

F h Afi : T{N) F h A/2 : T(iV) 
F h y(A/i=jvM2) = (A/i =Ar A/2) 

Appendix A. 1.10. Differences from Previous Presentation 

The above presentation differs from the one in [f3| in a few respects. In that 
paper, we constructed LTTw within the logical framework LF'. Here, we have 
presented LTTw as a separate, stand-alone formal system. The constant Peirce 
in has been replaced with the rule (DN) , the constant /^ has been replaced 
with the rule (eta_>.), and the constant /x has been replaced with (etax). 

It is not difficult to show that the two presentations are equivalent. These 
changes have been made in order to simplify the definition of the interpretations 
in Section [5j 

In 0, we introduced a proposition 'prop', and used the proofs of 'prop' 
as the names of the small propositions. We also discussed the possibility of 
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making 'prop' a type. In this paper, we have taken a neutral option: we have 
used a separate judgement form F h P prop. The system we present here can be 
embedded in both the system that has 'prop' a proposition, and the system that 
has 'prop' a type. It can be shown that these two embeddings are conservative. 

Appendix A. 2. LTTq 

The subsystem LTTq is formed from LTTw by making the fohowing changes. 

1. Whenever the rules (En), (En =), (EnO) or (Ens) are used, the type A 
must have the form T{K). 

2. Whenever the rule (IndN) is used, the proposition <j) must have the form 
V{P). 

3. Whenever the rule (subst), (etax) or (eta^) is used, then for every quan- 
tifier Vx : j4 in the proposition (/>, the type A must not contain the symbol 
U. 

4. The following rule of deduction is added: 

r h 01 Prop • • • r h 0„ Prop Fh M : N 

(P3) 

Fh0i,...,0„=»-(O=pjsM) 

Appendix A. 3. LTTq 

We say a proposition (p is analytic iff, for every quantifier Vx : A in cf), either 
A = T{M) for some Af, oi A = Set (N). 

The subsystem LTTq is formed from LTTw by making the following changes. 

1. Whenever the rules (En), (En =), (EnO) or (Ens) are used, the type A 
must have the form T{K). 

2. Whenever the rule (IndN) is used, the proposition <j) must be analytic. 

3. Whenever the rule (subst), (etax) or (eta^) is used, the proposition </) 
must have the form V{P). 

4. The rule of deduction (P3) is added. 

Appendix B. Proof of the Soundness Theorems 

We present here the proofs of two of the Soundness Theorems in this paper. 

Appendix B.l. Proof of Theorem \5.13\ 

We begin by proving the following properties of our interpretation: 

Lemma Appendix B.l //AC A', then {Aj^ C [Aj^, and (~^) C (-^,)- 

Proof. The proof is by induction on A. 

Lemma Appendix B.2 

1. Let M be a term and X an expression of An+i- Let v' = v[x := (]Af|)^]. 
//(|MD" is defined, and d^O" is defined, then (\[M/x]X\)^ is defined, and 
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2. Given a term M of An and expression X ofAn+i, we have [M/x](\X\)'" ~ 

where, for all y G domw, u{y) = [M/x\v[y). 

3. // (\M\j-" and are defined, then (\[M/x\X\j-" is defined, and 

4. Ifv{x) = v'{x) for all x € FV(M), then = (\X\)''' . 

5. Suppose (A,$,u) \= 4>. // A C A', $ C anrf = v'{x) for all 
xeFY ((/)), then (A', v') ^ 

6. (A,<i>,z;) h [M/x]cj) iff{A,<i>, [M/x]v) h 

Proof. Part 1 is proven by induction on X, and part 2 by induction on N. 
Part 3 follows simply from the first two. The remaining parts are proven by 
induction on X or (j). 

Theorem 15. 131 is now proven by induction on derivations. We deal with five 
cases here. 

1. Consider the case of the rule of deduction 

T,x : Ah M : B T h N : A 
r h (Ax : A.{M : B)){N)a^b = [N/x]M : B 
By the induction hypothesis, we have 

A,x:A h„ p//r["^="l : B, A h„ (|iV|)^' : A 

and we must show A h„ (\{Xx : A.M){N)\)'" = (\[N/x]M\)'' : B. 
Suppose d{A B) < n. Then we have 

A h„ (Ax : A^M^''[^^=^l)(fliV|)^) = [(| A^^V^l^M^^I^^^^l : B . 

By the two claims above, we have [(|iV|)V2;]flM|)^[^^=^l = (\[N/x]M\)'' and 
the required judgement follows. 

Suppose now d{A B) = n+l. We must show A h (|(Ax : A.M){N)Y = 
(\[M/x\NY : B But 

(\{\x : A.M){N)\)'' EE (\\x: A.M\)''@(\N\}'' 

and so the required judgement is 
which is derivable in An- 
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2. Consider the rule of deduction 



r h * ^ [M/x]tP 

Suppose (4>, A, v) satisfies each member of '5. Then (<i>, A, v) \^\/x : A.-ip. 
We also have ^M^" e {Af^. 

If d(Va; : A.il)) < n, then we have A h $ ^ Va; : A.(\^P\)'' and A h : A, 

hence A h $ => [p/rD''/a:](|T/'|)^['^-"'^l, and this is the judgement required 
by Lemma I Appendix B.2[ 31 

If d(Va; : A.^p) = n + 1, then we have ($, A, v[x := (|Af D"]) h "0- Hence 
(<i>, A, v) \= [M/x]ip by Lemma [Appendix B.2[ 5]as required. 

3. Consider the rule of deduction 

r\-tp Prop Fh ^ ± 

F h ^' ^ V 
For this case, we need the result: 

If A h $ => ± then (A, u) |= V' for every proposition i/j of 

An+l- 

This is proven by induction on ip. 

4. Consider the rule of deduction 

F h * ^ -n^ih 

(DN) 

F h ^ V 

For this case, we need the result: 

If (A, $, v) ^ -^^(j) then (A, $, v) \= cf). 
If c?(0) < n, we have 

.-.A h $ ^ (l^Pl)" (DN) 
If c?(0) = n + 1 and (/) = -0 D x, we have that 

(A,<i>,z;) h--(^3x) • (B.l) 
Suppose Ai 3 A, $1 D $, and 

(Ai,$i,«)^V- (B.2) 

We must show (Ai,$i,i;) By the induction hypothesis, it is sufficient 

to prove (Ai,$i,i;) |= -i^x- So suppose A2 ^ Ai, $2 ^ and 

(A2,<i>2,i;) h-X • (B.3) 

We must show (A2,<I'2,i^) H -L- By (jB.ip . it is sufficient to prove that 
(A2,$2,^^) h -'('0 ^ x)- So suppose A3 D A2, $3 2 $2, and 

{A3,^3,v)\=^Dx ■ (B.4) 
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We have (A3, $3,?;) \= tp hy Lemma pVppendix B.2[ 51 so (A3, $3,1;) |= x, 
and hence (A3,<i>3,w) |= ± by (|B.3p . as required. 
The case d{(j)) — n + 1 and cj) = \fx : A.ijj is similar. 
5. Consider the case of the rule of deduction (Indw): 

r,a; : Nh V^(P) Prop T h iV : N 

r h $ ^ V{[0/x]P) r,x : Nh $,F(F) ^ V{[sx/x]P) 

r h $ ^ V{[N/x]P) 

This follows by applying (Indm) in An- Note that it is important here that 
V{P) must be a small proposition. 

Appendix B.2. Proof of Theorem \5.25\ 
We begin by proving 

Lemma Appendix B.3 //AC A', then [Al\ C [Al\, and (-^J C (-^,„ 
)• 

Proof. Similar to Lemma [Appendix B.l[ 

We prove that Lemma [Appendix B.2| holds for our new translation. The 
proof is similar. 

Theorem 15.251 is now proven by induction on derivations. We deal with one 
case here: the rule of deduction 

r, X : N h T{K) type T \- L : T{[{)/x\K) 

T,x -.n.y.TiK)^ M ■.T{[sxlx\K) F h iV : N 

(En s) 

rhEN(Hr(X),L,[x,2/]M,sA) 

= [N/x,^n{[x\T(K),L, [x,y]M,N)/y]M : T([s7V/x]if) 

Let w be a A-valuation of F. Inverting, the derivation includes F, a; : N h X : ?7, 
and so the induction hypothesis gives us 

g ^ whenever A h J : N. 

Let us define 

S{J) = ^if|)^[^^=^l 

Dj = decodes(j) 

Cj = codes(.7) 

F{J) = En(NT(X),L,[x,2/]M, J) 

We have the following chain of equalities provable in T^^: 

s i5,(l^l)(R(Co(flXP),[:r,y]a,(flMr[^--'''^=^==('')l),sOiVr)) 

= i?.(i^i)(c.(i^i)(flMrt^^=(|^»^''^=«^(^'|'i)) 
^ mi^,F{N)/y]Mr 

as required. 
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